Fraudsters hone tactics as U.S. embraces EMV compliance

Companies need to batten down hatches as credit card processing changes


As an October mandate requiring chips in credit cards approaches, criminals are changing their tactics.

“Many fraudsters have discontinued several of the in-person or card-present fraud tactics that they have used in the past,” says CEO John Dancu of Atlanta-based IDology, which provides technology solutions that verify an individual’s identity or age in a customer-not-present environment. “Instead, criminals are moving to the card-not-present environment, such as online or in a call center.”

John Dancu, IDology CEO

The United States is the world’s final market, according to, to become EMV-compliant. EMV is an acronym for Europay, MasterCard and Visa. Adding a chip to credit cards will make it nearly impossible to counterfeit them, so fraudsters are turning their attention elsewhere.

Widespread data breaches at many organizations—such as recent massive cybersecurity breaches at the U.S. Office of Personnel Management that stole the personal information of more than 20 million individuals—have made “a large amount of consumer information available for cyber criminals to use as they wish,” Dancu says.


“Fraudsters are now able to purchase what we call a ‘perfect identity’ from places like the Dark Web,” he says. The Dark Web is Internet content that requires special software or authorizations to access and is frequently used by criminals.

“A perfect identity has enough qualifying personal data for attempting to open a fraudulent account or filing a false tax return,” Dancu says. “For organizations operating in this environment, layered solutions are needed to prevent fraud, while still limiting the friction during card-not-present transactions.”

Number of fraud attempts inches up

According to IDology’s 2014 fraud report—based on responses from 60 senior executives who are IDology customers primarily in the financial services, health care and retail industries—87 percent of respondents said their organizations had experienced suspected fraud attempts in the past 12 months. That was a big increase over the 66 percent who experienced suspected fraud in IDology’s 2013 fraud report.

In the 2013 report, suspected fraud appeared to be most prevalent in the financial services and banking industries. Only 33 percent of health care industry respondents said they experienced suspected fraud.

In the 2014 report, however, the fraud attempts “appear to have similarly impacted all industries.” Seventy-five percent of health care respondents said that they had experienced suspected fraud in the past 12 months.

The 2014 report revealed that website applications “continue to bear the brunt of attempted fraud.” More than 85 percent of survey respondents said that suspected fraud was most prevalent within such applications.

“Phishing continues to be an issue,” Dancu says. “In our fraud report, we saw a significant decrease in the amount of respondents saying that their industry is prepared to detect and prevent this type of fraud. This could be due to the increase in sophistication fraudsters deploy in their phishing schemes.”

Mobile fraud is increasing, the IDology executive says. “From mobile account takeovers to mobile caller ID spoofing, mobile malware, subscriber fraud with man-in-the-middle attacks, cell phone cloning and fake cell towers, more and more fraud schemes are being discovered every day.”

Dancu says he cannot provide much detail about specific cyber criminal attacks against his customers, because “we don’t want to provide a roadmap for fraudsters.”

Criminals sharpen their strategy

Cyber criminals, he says, are constantly evolving their tactics. “Organizations of all sizes from all industries are perpetually striving to evolve with the fraud landscape,” he says. “That is why it’s important for them to enable a robust identity-verification and fraud-prevention program that is extremely configurable and can easily mold with changing fraud tactics.”

Fraudsters are not targeting one organization or one industry at a time, Dancu says.

“Through IDology’s identity verification and fraud platform, we are able to see, in real time, how these fraudsters jump from organization to organization—to the paths of least resistance,” he says.

All IDology customers share information in the company’s Collaborative Fraud Network, and they say that working collectively “is the most effective way to reduce risk and stop fraud,” Dancu says.

Cyber-criminal attacks “are definitely global,” he says. “Plus, fraudsters can employ a variety of methods to hide identity and location online.”

In the United States, “suspected fraud activity appears to be centrally located with hotspots” in south Florida, northwest Georgia and the New York-New Jersey area, Dancu says.

Despite all the fraudulent activity, organizations must keep in mind they have plenty of above-board customers.

“When it comes to an identity verification and fraud prevention program, it is important to remember that the majority of customers are actually legitimate,” Dancu says. “The goal is to ensure that the good customers quickly and easily gain access to products and service, and, when there are fraud flags present, then you raise the level of verification to ensure that the customer is who they say they are.”
